Install the October 2019 Android Security Update ASAP
Google’s monthly Android security fixes are normally just for Google devices, but Samsung, Motorola, LG, Oppo, Huawei, and Xiaomi are all rolling out their own versions of the October 2019 security update to patch a major zero-day security vulnerability present on several Android smartphones. Those with vulnerable phones should download the patch as soon as it becomes available, which should be sometime in the next few days.
The bug—which shows up in the security patch notes as CVE-2019-2215—allows a hacker to remotely root and take complete control of a device, though it requires either that the victim install an infected app first or that the hacker pair the exploit with a Chrome-based loophole to deploy the attack. The vulnerability is present on the following phones, though Google’s Project Zero cautions that other handsets could be affected as well:
- Google Pixel, Pixel XL, Pixel 2, and 2 XL
- Samsung Galaxy S7, S8, and S9
- Huawei P20
- LG models running Android Oreo
- Motorola Moto Z3
- Oppo A3
- Xiaomi A1, Redmi 5A, and Redmi Note 5
Google will start rolling out the October 2019 security patch Tuesday, and other manufacturers will likely have their own version live within the next few days. Keep an eye out for automatic update notifications, or check for the patch yourself by going to your phone’s Settings app and searching for “System Update.” (The exact pathway will differ depending on your device and version of Android.)
Google Project Zero reports that the bug has been successfully exploited, which raises some big questions regarding who is using it and why. The exploit itself was created by the Israeli online security firm NSO, which denies that it or any of its clients—mostly government groups and national security organizations—are actively using the exploit.
While it’s unlikely average Android users will be targeted by whoever is exploiting the bug, it’s severe enough that everyone should install the October 2019 security update once it’s available on their specific device, and those using any of the smartphones listed above should take extra care in the meantime. That means resisting the urge to install apps from unknown sources, installing a good anti-virus app, and being smart about your browsing—maybe even consider using a non-Chrome mobile browser.
If you’re interested in reading more about the bug and how it works, check out Ars Technica’s full report.